diff options
| author | Mark Johnston <markj@FreeBSD.org> | 2021-05-26 13:57:38 +0000 |
|---|---|---|
| committer | Mark Johnston <markj@FreeBSD.org> | 2021-05-26 14:45:40 +0000 |
| commit | 771e95d2e2ee1b60539f1273c62837b48249590a (patch) | |
| tree | 66f50df4f3bde67856367356ff209f8f065ae233 | |
| parent | 71776d67198fadd7d96937c9bdd22063636b132b (diff) | |
| download | src-771e95d2e2ee1b60539f1273c62837b48249590a.tar.gz src-771e95d2e2ee1b60539f1273c62837b48249590a.zip | |
netsmb: Avoid a read-after-free in smb_t2_request_int()
Defer freeing the request structure until we've decided whether the
request should be retried.
PR: 255881
MFC after: 1 week
| -rw-r--r-- | sys/netsmb/smb_rq.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/sys/netsmb/smb_rq.c b/sys/netsmb/smb_rq.c index 57bf053034ad..c5d5d0f85742 100644 --- a/sys/netsmb/smb_rq.c +++ b/sys/netsmb/smb_rq.c @@ -737,13 +737,13 @@ smb_t2_request_int(struct smb_t2rq *t2p) bad: smb_iod_removerq(rqp); freerq: - smb_rq_done(rqp); if (error) { if (rqp->sr_flags & SMBR_RESTART) t2p->t2_flags |= SMBT2_RESTART; md_done(&t2p->t2_rparam); md_done(&t2p->t2_rdata); } + smb_rq_done(rqp); return error; } |